Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory

Avaddon

Also known asavaddon

Avaddon is a ransomware group/RaaS operation active since June 2020 that shut down in 2021 after sending 2,934 victim-specific decryption keys to BleepingComputer, enabling Emsisoft to release a free decryptor. Before its shutdown, its leak site published 182 victims, while reporting cited average ransom demands of about USD 600,000. The group is associated with double extortion and has also been cited in reporting on triple-extortion tactics. Avaddon deletes backups and shadow copies using native system tools to inhibit recovery. Reporting also links Avaddon to use of the BitMix cryptocurrency mixing service and to First VPN Service infrastructure for network reconnaissance and intrusions. Multiple sources in the content state that NoEscape emerged as a rebrand or spin-off of Avaddon after Avaddon’s 2021 shutdown. The content also notes claimed ties between sanctioned LockBit-linked actor Ivan Gennadievich Kondratiev and Avaddon, and that ransomware affiliate Bassterlord claimed to have worked with the Avaddon gang.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics43 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.003
Virtual Private Server
T1588
Obtain Capabilities
T1588.002
Tool
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1133
External Remote Services
TA0002
Execution
1 technique
T1204
User Execution
T1204.002
Malicious File
TA0003
Persistence
4 techniques
T1078
Valid Accounts
T1112
Modify Registry
T1133
External Remote Services
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
3 techniques
T1055
Process Injection
T1078
Valid Accounts
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
6 techniques
T1027
Obfuscated Files or Information
T1027.002
Software Packing
T1055
Process Injection
T1070
Indicator Removal
T1070.004
File Deletion
T1078
Valid Accounts
T1140
Deobfuscate/Decode Files or Information
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0112
Defense Impairment
1 technique
T1112
Modify Registry
TA0007
Discovery
3 techniques
T1069
Permission Groups Discovery
T1482
Domain Trust Discovery
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
TA0009
Collection
1 technique
T1560
Archive Collected Data
T1560.001
Archive via Utility
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1105
Ingress Tool Transfer
T1573
Encrypted Channel
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1486
Data Encrypted for Impact
T1498
Network Denial of Service
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping25

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.